
Security Part 1: Auditing Operating Systems and Networks


Auditing Operating Systems
Overview
An operating system is a computer control program. It allows users and their applications to share and access common computer resources such as:
* Processors.
* Main memory.
* Databases.
* Printers.
Operating System Objectives
OS tasks are as follows:
* Translate high-level language.
* Allocate computer resources.
* Manage tasks.
Translate high-level language
* It translates high-level languages, such as C++, BASIC, and SQL, into the machine-level language that the computer can execute.
* The language translator modules of the operating system are called compilers and interpreters.
Allocate computer resources
* The operating system allocates computer resources to users, workgroups, and applications.
* This includes assigning memory work space to applications and authorizing access to terminals, telecommunications links, databases, and printers.
Manage tasks
* The operating system manages the task of job scheduling and multiprogramming.
* At any point, numerous user applications (jobs) are seeking access to the computer resources under the control of the operating system.
Jobs are submitted to the system in three ways:
1. Directly by the system operator.
2. From various batch-job queues.
3. Through telecommunications links from remote workstations.
Fundamental control objectives:
1. The operating system must protect itself from users.
2. The operating system must protect users from each other.
3. The operating system must protect users from themselves.
4. The operating system must be protected from itself.
5. The operating system must be protected from its environment.
Operating System Security
Overview
Operating system security involves policies, procedures and controls that determine who can access the operating system, which resources (files, programs, printers) they can use and what actions they can take.
Components of a secure operating system:
1. Log-on procedure.
2. Access token.
3. Access control list.
4. Discretionary access privilege.
Log-on procedure
A formal log-on procedure is the operating system's first line of defense against unauthorized access. When the user initiates the process, he or she is presented with a dialog box requesting the user's ID and password. The system compares the ID and password to a database of valid users.
Access Token
If the log-on attempt is successful, the operating system creates an access token that contains key information about the user, including:
* user ID,
* password,
* user group, and
* privileges granted to the user.
Access Control List
An access control list is assigned to each IT resource (computer directory, data file, program, or printer), which controls access to the resource. These lists contain information that defines the access privileges for all valid users of the resource.
The central system administrator usually determines who is granted access to specific resources and maintains the access control list. In distributed systems, however, end users may control (own) resources.
Discretionary Access Privileges
Resource owners in this setting may be granted discretionary access privileges, which allow them to grant access privileges to other users.
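The four components just listed (log-on procedure, access token, access control list, discretionary grants by owners) fit together in a small model. The following Python is an added example written for this page, not code from the lecture; the user database, passwords, resource names and ACL entries are constructed sample data, and the model deliberately stores only a salted password hash and keeps the password out of the token.

```python
"""Added example (not from the lecture): a toy model of a log-on procedure,
an access token, per-resource access control lists, and discretionary grants
by resource owners. All users, passwords and resources are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash is kept in the user database.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-fixed-salt"  # fixed so the example is deterministic

# Constructed database of valid users: hash, group and granted privileges.
USER_DB = {
    "alice": {"pw": _hash_pw("correct horse", _SALT), "group": "accounting", "privs": {"print"}},
    "bob":   {"pw": _hash_pw("bob-pass-1", _SALT),    "group": "it",         "privs": {"print", "admin"}},
}


@dataclass(frozen=True)
class AccessToken:
    """Created by the OS after a successful log-on; carried on every request."""
    user_id: str
    group: str
    privileges: frozenset


def log_on(user_id: str, password: str) -> Optional[AccessToken]:
    """Log-on procedure: compare ID and password against the user database."""
    rec = USER_DB.get(user_id)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["pw"], _hash_pw(password, _SALT)):
        return None
    return AccessToken(user_id, rec["group"], frozenset(rec["privs"]))


@dataclass
class Resource:
    name: str
    owner: str
    # ACL: subject (user ID or "group:<name>") -> set of permitted actions
    acl: dict = field(default_factory=dict)

    def permitted(self, token: AccessToken, action: str) -> bool:
        """ACL check: consult the user's own entry and the user's group entry."""
        for subject in (token.user_id, f"group:{token.group}"):
            if action in self.acl.get(subject, set()):
                return True
        return False

    def grant(self, grantor: AccessToken, subject: str, action: str) -> bool:
        """Discretionary access: only the resource owner may extend the ACL."""
        if grantor.user_id != self.owner:
            return False
        self.acl.setdefault(subject, set()).add(action)
        return True


def demo() -> dict:
    """Walk through log-on, ACL check, an owner grant, and a re-check."""
    ledger = Resource("ledger.dat", owner="alice", acl={"alice": {"read", "write"}})
    alice = log_on("alice", "correct horse")
    bob = log_on("bob", "bob-pass-1")
    return {
        "bad_logon_rejected": log_on("alice", "wrong") is None,
        "bob_read_before_grant": ledger.permitted(bob, "read"),
        "bob_cannot_grant_himself": ledger.grant(bob, "bob", "read"),
        "alice_grants_bob_read": ledger.grant(alice, "bob", "read"),
        "bob_read_after_grant": ledger.permitted(bob, "read"),
        "bob_write_after_grant": ledger.permitted(bob, "write"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The grant call is the discretionary step: Bob, who has the "admin" privilege in his token, still cannot extend the ledger's ACL because he does not own the resource, which is the distinction between a privilege held by a user and an access right attached to a resource.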
Threats to Operating System Integrity
Overview
Operating system control objectives may not be achieved because of accidental or intentional threats. Accidental threats include hardware failures or errors in user application programs. Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain.
Sources of Exposures
* Privileged personnel who abuse their authority.
* Individuals, both internal and external to the organization, who browse the operating system to identify and exploit security flaws.
* Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the operating system.
Operating System Controls and Audit Tests
Overview
If operating system integrity is compromised, controls within individual accounting applications that impact financial reporting may also be compromised. For this reason, the design and assessment of operating system security controls are SOX compliance issues.
Controlling Access Privileges
User access privileges are assigned to individuals or workgroups authorized to use the system. The way access privileges are assigned influences system security. Privileges should, therefore, be carefully administered and closely monitored for compliance with organizational policy and principles of internal control.
Audit Objectives Relating to Access Privileges
The auditor's objective is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.
Audit Procedures Relating to Access Privileges
To achieve their objectives auditors may perform the following tests of controls:
* Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security.
* Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions.
* Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.
* Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data.
* Review the users' permitted log-on times. Permission should be commensurate with the tasks being performed.
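The first two tests above (incompatible functions, and privileges versus job description) can be run mechanically over a privilege extract. The Python below is an added example for this page, not the lecture's material; the policy of incompatible function pairs, the job profiles and the assigned privileges are all constructed sample data, and the function names are the example's own.

```python
"""Added example (not from the lecture): tests of access privileges.
Given a policy listing pairs of incompatible functions, the functions each
job position is entitled to, and the privileges actually assigned, report
(a) users holding an incompatible pair and (b) users whose privileges exceed
their job description. All names, positions and functions are constructed."""

# Policy: pairs of functions that must not be held by one person.
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
}

# Functions each position is entitled to by job description.
JOB_PROFILE = {
    "ap_clerk":   {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "approve_journal"},
    "gl_clerk":   {"post_journal"},
}

# Constructed extract of assigned privileges: user -> (position, functions).
ASSIGNED = {
    "alice": ("ap_clerk",   {"create_vendor", "enter_invoice"}),
    "bob":   ("ap_clerk",   {"create_vendor", "enter_invoice", "approve_payment"}),
    "carol": ("gl_clerk",   {"post_journal", "approve_journal"}),
    "dave":  ("ap_manager", {"approve_payment", "approve_journal"}),
}


def sod_violations(assigned=ASSIGNED, incompatible=INCOMPATIBLE) -> dict:
    """Users whose assigned functions contain an incompatible pair."""
    out = {}
    for user, (_, funcs) in assigned.items():
        hits = [tuple(sorted(pair)) for pair in incompatible if pair <= funcs]
        if hits:
            out[user] = sorted(hits)
    return out


def excess_privileges(assigned=ASSIGNED, profiles=JOB_PROFILE) -> dict:
    """Users holding functions beyond what their position entitles them to."""
    out = {}
    for user, (position, funcs) in assigned.items():
        extra = funcs - profiles.get(position, set())
        if extra:
            out[user] = sorted(extra)
    return out


def profile_conflicts(profiles=JOB_PROFILE, incompatible=INCOMPATIBLE) -> list:
    """Test the policy itself: a position whose own profile contains an
    incompatible pair makes every holder a violation by design."""
    return sorted(pos for pos, funcs in profiles.items()
                  if any(pair <= funcs for pair in incompatible))


if __name__ == "__main__":
    print("separation-of-duties violations:", sod_violations())
    print("privileges beyond job profile:", excess_privileges())
    print("positions with built-in conflicts:", profile_conflicts())
```

Running the three checks in this order mirrors the audit sequence: the policy is reviewed first, then the extract is compared to it, and the same extract is also compared to job descriptions, since a privilege can be excessive without violating separation of duties.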
Password Control
A password is a secret code the user enters to gain access to systems, applications, data files, or a network server.
The most common forms of contra-security behavior include:
1. Forgetting passwords and being locked out of the system.
2. Failing to change passwords on a frequent basis.
3. The Post-it syndrome, whereby passwords are written down and displayed for others to see.
4. Simplistic passwords that a computer criminal easily anticipates.
The most common method of password control is the reusable password. The user defines the password to the system once and then reuses it to gain future access.
To improve access control, management should require that passwords be changed regularly and disallow weak passwords. Software is available that automatically scans password files and notifies users that their passwords have expired and need to be changed.
The one-time password was designed to overcome the aforementioned problems. Under this approach, the user's password changes continuously.
Audit Objectives Relating to Passwords
The auditor's objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.
Audit Procedures Relating to Passwords
Tests to achieve this objective:
* Verify that all users are required to have passwords.
* Verify that new users are instructed in the use of passwords and the importance of password control.
* Review password control procedures to ensure that passwords are changed regularly.
* Review the password file to determine that weak passwords are identified and disallowed.
* Verify that the password file is encrypted and that the encryption key is properly secured.
* Assess the adequacy of password standards such as length and expiration interval.
* Review the account lockout policy and procedures.
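Several of these tests (users without passwords, weak passwords, expiration, protected storage, lockout) can be expressed as checks over an account-file extract. The Python below is an added example written for this page, not the lecture's material. The account records, the policy thresholds and the common-password list are constructed; the "stored in clear" test is a heuristic that recognises the example's own hash format and stands in for the lecture's "password file is encrypted" test.

```python
"""Added example (not from the lecture): password-control tests run over a
constructed extract of an account file. It flags accounts with no password,
weak passwords (short, in a common-password list, or equal to the user ID),
passwords older than the expiration interval, accounts without an effective
lockout threshold, and password fields that are not stored as a hash."""
import hashlib
import re
from datetime import date

POLICY = {"min_length": 8, "max_age_days": 90, "lockout_threshold": 5}
COMMON = {"password", "123456", "welcome", "qwerty"}   # constructed short list
AS_OF = date(2024, 3, 1)                               # date of the audit

# Constructed records. The clear password is included only so the weak-
# password test can run offline; in practice that test is performed by the
# password-scanning software the lecture mentions, against the hashed file.
ACCOUNTS = [
    {"user": "alice", "stored": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),
     "clear": "Tr0ub4dor&3", "changed": date(2024, 1, 15), "lockout": 5},
    {"user": "bob", "stored": hashlib.sha256(b"bob").hexdigest(),
     "clear": "bob", "changed": date(2023, 6, 1), "lockout": 5},
    {"user": "carol", "stored": "welcome",              # plaintext in the file
     "clear": "welcome", "changed": date(2024, 2, 20), "lockout": 0},
    {"user": "svc_backup", "stored": "",                # no password at all
     "clear": "", "changed": None, "lockout": 5},
]

# Heuristic for "stored as a hash": the example's hashes are 64 hex digits.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def weak_password(user: str, pw: str, policy=POLICY) -> list:
    """Return the reasons a password fails the standard, or [] if it passes."""
    reasons = []
    if len(pw) < policy["min_length"]:
        reasons.append("too_short")
    if pw.lower() in COMMON:
        reasons.append("common")
    if pw.lower() == user.lower():
        reasons.append("equals_user_id")
    return reasons


def audit_accounts(accounts=ACCOUNTS, policy=POLICY, as_of=AS_OF) -> dict:
    """Map each account with findings to the ordered list of its findings."""
    findings = {}
    for acct in accounts:
        f = []
        if not acct["stored"]:
            f.append("no_password")
        else:
            if not HEX64.match(acct["stored"]):
                f.append("stored_in_clear")
            f += weak_password(acct["user"], acct["clear"], policy)
            age_ok = acct["changed"] is not None and \
                (as_of - acct["changed"]).days <= policy["max_age_days"]
            if not age_ok:
                f.append("expired")
        # Lockout disabled (0) or looser than policy allows both count as absent.
        if acct["lockout"] <= 0 or acct["lockout"] > policy["lockout_threshold"]:
            f.append("no_effective_lockout")
        if f:
            findings[acct["user"]] = f
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts().items():
        print(f"{user}: {', '.join(reasons)}")
```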




Controlling Against Malicious and Destructive Programs
Threats from destructive programs can be substantially reduced through a combination of technology controls and administrative procedures. The following examples are relevant to most operating systems.
* Purchase software only from reputable vendors and accept only those products that are in their original, factory-sealed packages.
* Issue an entity-wide policy pertaining to the use of unauthorized software or illegal copies of copyrighted software.
* Examine all upgrades to vendor software for viruses before they are implemented.
* Inspect all public-domain software for virus infection before using.
* Establish entity-wide procedures for making changes to production programs.
* Establish an educational program to raise user awareness regarding threats from viruses and malicious programs.
* Install all new applications on a stand-alone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or local area network (LAN) server.
* Routinely make backup copies of key files stored on mainframes, servers, and workstations.
* Wherever possible, limit users to read and execute rights only.
* Require protocols that explicitly invoke the operating system's log-on procedures to bypass Trojan horses.
* Use antiviral software (also called vaccines) to examine application and operating system programs for the presence of a virus and remove it from the affected program.
Audit Objective Relating to Viruses and Other Destructive Programs
The auditor's objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.
Audit Procedures Relating to Viruses and Other Destructive Programs
* Through interviews, determine that operations personnel have been educated about computer viruses and are aware of the risky computing practices that can introduce and spread viruses and other malicious programs.
* Verify that new software is tested on standalone workstations prior to being implemented on the host or network server.
* Verify that the current version of antiviral software is installed on the server and that upgrades are regularly downloaded to workstations.
System Audit Trail Controls
System audit trails are logs that record activity at the system, application, and user level. Audit trails typically consist of two types of audit logs: (1) detailed logs of individual keystrokes and (2) event-oriented logs.
Keystroke monitoring involves recording both the user's keystrokes and the system's responses. Event monitoring summarizes key activities related to system resources.
Setting Audit Trail Objectives
Audit trails can be used to support security objectives in three ways:
(1) Detecting unauthorized access to the system,
(2) Facilitating the reconstruction of events, and
(3) Promoting personal accountability.
Detecting unauthorized access
It can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders attempting to breach the system controls.
Reconstructing Events
Audit trail analysis can be used to reconstruct the steps that led to events such as system failures or security violations by individuals.
Personal Accountability
This capability is a preventive control that can influence behaviour. Individuals are less likely to violate an organization's security policy when they know that their actions are recorded in an audit log.
Implementing a system audit trail:
Information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.
Audit objectives relating to system audit trail:
The auditor's objective is to ensure that the established system audit trail is adequate for preventing and detecting abuses.
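The three audit-trail objectives above can be demonstrated on an event-oriented log. The Python below is an added example for this page, not the lecture's material; the log lines, their format, the permitted log-on hours and the failure threshold are all constructed. It detects after-the-fact indicators of unauthorized access (a burst of failed log-ons followed by a success, and log-ons outside a user's permitted hours), reconstructs one user's trail, and counts recorded actions per user ID.

```python
"""Added example (not from the lecture): event-oriented audit-log analysis.
(1) detect unauthorized access attempts, (2) reconstruct one user's events,
(3) attribute every recorded event to a user ID. Log lines, format, permitted
hours and thresholds are constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed event log: "<date> <time> <user> <event> <detail>".
LOG = """\
2024-03-01 08:55:12 alice LOGON_OK term=T01
2024-03-01 09:10:40 alice FILE_WRITE file=ledger.dat
2024-03-01 22:31:05 bob LOGON_OK term=T07
2024-03-01 22:33:19 bob FILE_READ file=payroll.dat
2024-03-02 02:14:01 carol LOGON_FAIL term=T09
2024-03-02 02:14:09 carol LOGON_FAIL term=T09
2024-03-02 02:14:15 carol LOGON_FAIL term=T09
2024-03-02 02:14:22 carol LOGON_FAIL term=T09
2024-03-02 02:14:30 carol LOGON_OK term=T09
2024-03-02 02:15:02 carol PRIV_CHANGE target=bob priv=admin
"""

# Permitted log-on hours per user: start hour inclusive, end hour exclusive.
PERMITTED_HOURS = {"alice": (8, 18), "bob": (8, 18), "carol": (8, 18)}
FAIL_THRESHOLD = 3   # failed log-ons before a success that we treat as suspicious


def parse_log(text: str = LOG) -> list:
    """Split each line into a timestamped event record."""
    events = []
    for line in text.splitlines():
        day, clock, user, event, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(f"{day} {clock}"),
                       "user": user, "event": event, "detail": detail})
    return events


def detect_unauthorized(events=None) -> dict:
    """Objective 1: off-hours log-ons and bursts of failures before a success."""
    events = parse_log() if events is None else events
    findings = defaultdict(list)
    fails = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        u = e["user"]
        if e["event"] == "LOGON_FAIL":
            fails[u] += 1
        elif e["event"] == "LOGON_OK":
            if fails[u] >= FAIL_THRESHOLD:
                findings[u].append(f"logon_after_{fails[u]}_failures")
            fails[u] = 0
            lo, hi = PERMITTED_HOURS.get(u, (0, 24))
            if not lo <= e["ts"].hour < hi:
                findings[u].append(f"off_hours_logon_{e['ts']:%H:%M}")
    return dict(findings)


def reconstruct(user: str, events=None) -> list:
    """Objective 2: the ordered trail of everything one user did."""
    events = parse_log() if events is None else events
    return [f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['event']} {e['detail']}"
            for e in sorted(events, key=lambda e: e["ts"]) if e["user"] == user]


def accountability(events=None) -> dict:
    """Objective 3: number of recorded actions attributed to each user ID."""
    events = parse_log() if events is None else events
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("unauthorized access indicators:", detect_unauthorized())
    print("trail for carol:", *reconstruct("carol"), sep="\n  ")
    print("actions per user:", accountability())
```

The value of the reconstruction step shows in the carol trail: the privilege change that follows the off-hours log-on is only suspicious in context, which is exactly what an event-oriented log preserves and a keystroke log would bury in volume.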
Auditing Networks
Intranet Risk
An intranet consists of small LANs and large WANs that may contain thousands of individual nodes. Unauthorized and illegal employee activities internally spawn intranet threats. The threat from employees is significant because of their intimate knowledge of system controls and/or the lack of controls.
Interception of Network Messages
Network administrators routinely use commercially available sniffer software to analyze network traffic and detect bottlenecks.
Internet Risk
IP Spoofing
IP spoofing is a form of masquerading to gain unauthorized access to a Web server and/or to perpetrate an unlawful act without revealing one's identity.
Denial of Service Attack
* SYN attack.
* Smurf attack.
Risk From Equipment
1. Communication lines.
2. Hardware.
3. Software.
Controlling Networks
Controlling risk from subversive threats:
* Firewalls.
* Controlling denial of service attacks.
* Encryption. Encryption is the conversion of data into secret code for storage in databases and transmission over networks.
* Digital signatures.
* Digital certificates.
* Message sequence numbering.
* Message transaction log.
* Request-response technique.
* Call-back devices.
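Two of the controls listed, message sequence numbering and the message transaction log, are easiest to understand as a receiver that enforces them. The Python below is an added example for this page, not the lecture's material. It uses a keyed HMAC over a shared secret for message integrity in place of the digital signature the lecture lists, so that it runs on the standard library alone; the key, message format and sample messages are constructed.

```python
"""Added example (not from the lecture): a receiver applying message sequence
numbering and keeping a message transaction log. Each message carries a
sequence number and an authentication tag over (seq, body); the receiver
rejects replays and altered messages, records gaps where a message was
dropped, and logs the disposition of every message. HMAC stands in for a
digital signature here; key and messages are constructed."""
import hashlib
import hmac

KEY = b"constructed-shared-secret"


def _tag(seq: int, body: str, key: bytes) -> str:
    # Authenticate the sequence number together with the body, so the number
    # itself cannot be altered without invalidating the tag.
    return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()


def make_message(seq: int, body: str, key: bytes = KEY) -> dict:
    """Sender side: number the message, then authenticate number and body."""
    return {"seq": seq, "body": body, "mac": _tag(seq, body, key)}


class Receiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.expected = 1   # next sequence number we will accept
        self.log = []       # message transaction log: one entry per message seen

    def receive(self, msg: dict) -> str:
        seq, body = msg["seq"], msg["body"]
        if not hmac.compare_digest(msg["mac"], _tag(seq, body, self.key)):
            status = "rejected_bad_mac"                   # altered or forged
        elif seq < self.expected:
            status = "rejected_replay"                    # number already used
        elif seq > self.expected:
            status = f"gap_{self.expected}_to_{seq - 1}"  # something was lost
            self.expected = seq + 1
        else:
            status = "accepted"
            self.expected = seq + 1
        self.log.append({"seq": seq, "status": status})
        return status


def demo() -> dict:
    """Deliver four messages with one replay, one tampered body, one drop."""
    rx = Receiver()
    m1, m2, m3, m4 = (make_message(i, f"order {i}") for i in range(1, 5))
    tampered = dict(m3, body="order 3 amount=9999")  # body changed after tagging
    results = [rx.receive(m1), rx.receive(m2), rx.receive(m2),
               rx.receive(tampered), rx.receive(m4)]
    return {"results": results, "log": rx.log, "next_expected": rx.expected}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The gap entry is what makes the transaction log useful to an auditor: because the tampered message 3 was rejected, message 4 arrives with a hole in the sequence, and the log records both the rejection and the gap rather than silently continuing.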
Auditing Electronic Data Interchange (EDI)
EDI is the intercompany exchange of computer-processible business information in standard format.
Benefits of EDI
* Data keying.
* Error reduction.
* Reduction of paper.
* Automated procedures.
* Inventory reduction.
Auditing PC-Based Accounting Systems
PC-System Risk and Control
* Operating system weaknesses.
* Weak access control.
* Inadequate segregation of duties.
* Weak backup procedures.
* Risk of virus infection.

Thank You
